Re: Opencryptoki fixes for CVE-2024-0914
On Sat, Jun 22, 2024 at 11:04:49AM +0000, Bastien Roucariès wrote:
> Hi,
Hi Bastien,
> After a few hours I get the impression that fixing CVE-2024-0914 even for bookworm will be extremely hard (lack of constant time operation, massive code change...)
>
> I suppose the best way is to do a full backport of unstable to buster and for ELTS to stretch/jessie
>
> What is your point of view about this?
after a quick look, backporting the latest openCryptoki to jessie might
be more work than backporting the fixes to the version in jessie since
you have to revert the OpenSSL API changes.
The CVE is marked "<no-dsa> (Minor issue)" in (old)stable, and CVE-2022-4304
for the same issue is ignored in OpenSSL 1.0 in jessie and stretch.
If backporting to older openCryptoki versions is not feasible,
I'd suggest to ignore the CVE.
> Bastien
cu
Adrian